Web Content Viewer (JSR 286)- Asponte Custom Skin

Spectre and Meltdown CPU Vulnerabilities and Konica Minolta MFPs

Based on current knowledge, the threat likelihood is extremely low for Konica Minolta products.

CPU hardware implementations are vulnerable to cache side-channel attacks. These vulnerabilities are referred to as Meltdown and Spectre. Both Spectre and Meltdown take advantage of the ability to extract information from instructions that have executed on a CPU using the CPU cache as a side-channel. These attacks are described in detail by Google Project Zero, the Institute of Applied Information Processing and Communications (IAIK) at Graz University of Technology (TU Graz) and Anders Fogh.

Note: For explanation of CVSS, refer to the first.org web site. Since the CVSS score may be updated occasionally, check the latest status on CVE's website. In addition, the CVSS score may be different for each security agency.

3. Risk for MFPs

At this time the vulnerability only exists when a malicious program is executed on the target device, if executed, the program can access data stored in memory that should normally be protected by the system (Memory of kernel area of OS, memory of each process and memory of each virtual machine). It is important to know that the Memory data cannot be exposed remotely to an external network.

Several Konica Minolta MFPs contain ARM or Intel processors which are possibly affected by the Meltdown and Spectre vulnerability.

In order for an attacker to exploit this vulnerability in MFPs, it is necessary to execute a malicious program on the target machine by tampering with the internal firmware.

In addition, ISO 15408 certified MFPs contain a firmware verification feature. When rewriting the main unit's firmware, a hash value check is run to see if the firmware data was tampered with. If the hash values don't match, an alert is issued, and the firmware is not rewritten. In addition, when enhanced security mode is enabled, hash value checks are performed every time the main power source is turned ON. If the hash values don't match, an alert is issued, and starting the main MFP unit is prohibited.

Because of these fail-safe mechanisms it is extremely difficult for an attacker to embed the exploitive code into the MFP and execute it.

For these reasons, KMI is not currently planning to release updated firmware for Spectre or Meltdown because of the very low risk of this vulnerability to attack our MFPs.

4. For PP controllers, Fiery and Creo

Because EFI Fiery and Creo controllers also contains Intel CPUs, they are affected by the Meltdown vulnerability. EFI announced the status on their public website and via a partner bulletin, shown below.

The recently discovered security threats Meltdown and Spectre have left virtually every modern device from servers to PCs and smartphones vulnerable to hackers, who could potentially steal your sensitive business and personal data. In order to keep your systems and your information safe, you need to update ALL of your systems and machines with the latest vendor patches and fixes. Our security experts have been testing and monitoring the status of all vendor released fixes, and can help you keep your critical data safe and secure. If you would like our security experts to help you mitigate the risks brought on by Meltdown and Spectre, please let us know.